Remove non-literal-regexp and -fs-filename rules from Semgrep and eslint
Problem to solve
A number of eslint rules, and the matching Semgrep ports of those eslint rules, produce a significant number of false positives. The detect-object-injection rule in particular matches on almost every access to an object's properties via [] notation.
Proposal
Remove the following rules from both Semgrep and eslint:
detect-non-literal-fs-filename
detect-non-literal-regexp
Document how to find and restore the rules if people want them, perhaps as a disabled_rules.yaml
file or similar at a documented path. Interested customers could then use the existing rule customization features to add back this or similar rules if desired.
Split from Remove high-FP-rate `detect-object-injection` e... (#351399 - closed)
What does success look like, and how can we measure that?
Our FP rates, or rates of dismissal, decrease for these analyzers.
What is the type of buyer?
GitLab Ultimate buyer, but useful to all users across tiers.
Links / references
Internal links (team members only):